If you were talking to someone whose organization is considering Elastic SIEM, what would you say?
How would you rate it and why? Any other tips or advice?
I would say "Elastic is more a platform rather than a tool". For SIEM, Elastic is quite flexible, however you will have to create Use cases yourself (e.g. Threat hunting). Elastic nodes sizing is key in ensuring performance is not impacted.
I would advise going for the latest version, but it may or may not be backward compatible. Nowadays, version 7.12 is the latest version, and I see that it is actually not compatible with the older versions. I would rate Elastic SIEM a seven out of ten.
In our case, being a medium-sized business, it takes a lot of resources to learn how to properly use and implement it — you need to have a good understanding. They give you a very good framework and a very good solution to work with, but there's a lot of intuition that's required to actually make it work well. It requires a lot more effort than they would lead you to believe or that you would even expect. On a scale from one to ten, I would give this solution a rating of eight. This is based on my experiences from the past as we're still implementing it.
My advice to anybody who is considering this product is that it is a very competitive tool that is very new in the market and the vendor is doing their best to improve services. I highly recommend it and suggest that people choose it without a second thought. I would rate this solution an eight out of ten.
You have to decide to what level you're trying to go. Is it an SMB or larger enterprise? Because if it is a bigger enterprise there might be a lot of other cybersecurity products that are already installed on their premises. You need to check the compatibility and how it's going to integrate. Make sure it is easy to use and check to see what level you want to track. If there are incidents like unknown IPs and if you look at the logs and find there is no harm in the IPs there will be scrutiny on the endpoints. Consider what kind of team you're going to have and what their ability is to customize things, to connect to different logs. They should look at the operation and see how to customize it and connect it. Finally, consider your budget and how much you want to spend. I would rate it an eight out of ten. It is evolving every day on the security front but there are still certain areas that can be improved more. In the next release, I'd like to see more improvements so that we can do more automation and have more automatic responses. That would be more helpful so that we don't have to delay the manual sources.
This solution is complex and cannot be used by just anybody. That said, for people who don't want to buy a product or who want to do everything themselves, I would recommend it. The real problem is that its complexity means that it takes a lot of time to set up and learn to use. There is a lot of configuration and hard work. I would rate this solution an eight out of ten.
My advice to anybody who is implementing Elastic SIEM is to understand how the data works first. It is really different from other types of products. Overall, the product is very stable and it is well-liked. I think that everybody should consider using it. I would rate this solution an eight out of ten.
We all know it's really hard to get good pricing and cost information.
Please share what you can so you can help your peers.
I am the technical director of a science and technology division for the government.
Which SIEM solution would deliver the best ability to identify, protect, detect, respond and recover from a cyber attack?
Thanks! I appreciate your help.